Table of contents
The past twelve months have clearly shown how quickly unforeseen events can significantly disrupt a company’s business processes and cause serious damage or devastating losses. Lockdowns of the economy, obligation to home office, mass illnesses of the workforce, but also massive attacks on the IT of companies in the form of data espionage or hacker attacks are just a few examples. Those who can access professional crisis management or business continuity management in such cases are at an advantage. “Business continuity management”, in English Business Continuity Management (BCM), aims to minimise damage to companies and to take the best possible precautions in the event of serious disruptions. The BCM system defines plans on how regular operations can be resumed in the shortest possible time after an interruption caused by a disruption. In this way, damage can be reduced and existential threats to one’s own and associated companies can be avoided.
Business Continuity Management with ISO 22301
The international ISO 22301 standard helps to consider the most important points for a business continuity management. It creates the understanding and provides the appropriate framework for implementing a BCM system in companies of any industry and size. Like all other requirements for management systems, ISO 22301 demands basic things such as procedures that define systematic operation on an organisation-specific basis.
The disadvantage of introducing a BCM system according to ISO 22301 is its complexity. Core elements such as the business impact analysis (BIA) and the risk assessment must be implemented. Only after the theoretical analysis does the practical implementation take place within the framework of business continuity activities. The tools and consultants usually required for BCM systems according to ISO 22301 also represent an enormous cost factor that many SMEs shy away from. As a result, dealing with risks and the introduction of BCM unfortunately often fall by the wayside completely.
Business continuity management as a pragmatic hands-on approach
However, deterred by the effort involved, doing nothing is the wrong strategy. After all, business continuity management is essential for the survival of almost every company. Viewed soberly, BCM involves technical, organisational and personnel measures in the company to ensure the continuation of the core business after a crisis.
Basically, it is “only” necessary to define and write down at management level which incidents represent an impairment of operations and how they must be dealt with. This ensures that valuable time is saved in the real case, because much of the planning has already been done. This preliminary work can be pragmatically recorded in a simple text document, which should then be stored in a safe place. For the more detailed planning, definition and execution of business continuity activities in the event of an emergency, there are IT Systems that cost only a fraction of the professional BCM tools. Ideally, such a system should work separately from the corporate IT - e.g. web-based as a SaaS solution. This is so important because, for example, in the event of a cyber attack, the company’s entire IT infrastructure is usually shut down. As a decoupled IT solution, the BCM system is self-sufficient and does its work reliably in the crisis situation.
The following six steps show how companies can remain able to make decisions and act in a crisis with the help of such a pragmatic BCM system. These follow the basic idea of the PDCA cycle according to Demming.
Step 1: Thoughtful crisis planning.
At the very beginning there is the plan (plan). Ideally, one should work with a wide variety of scenarios that could cause a crisis situation. The number of possible scenarios can be as large as you like and should at least cover all halfway realistic crisis situations. These actually always include IT breakdowns, hacker attacks, but also - as happened several times last year - mass illnesses of the workforce, environmental disasters, etc. Each scenario now receives a precise definition of the actors involved as well as the necessary measures within the framework of response and recovery plans. Precise instructions for action define who has to do what and when.
**Step 2: Identify the crisis
If a crisis situation arises, the necessary measures should be quickly at hand (Do). Web-based tools have the advantage here that the measures prepared in the plan are available at any time and any place. In this way, the actors named in the plan are mobilised and can immediately start their work to deal with necessary actions, root cause analysis and restoration of the normal state. This can happen, for example, in a defined crisis team or for smaller incidents it can also be in the hands of individuals. In order to be able to start processing as quickly as possible, it is advisable to carry out the mobilisation of the actors automatically instead of relying on printed lists, as these always bear the risk of being out of date.
Step 3: Carry out instructions for action.
The already prepared instructions for action help with the step-by-step processing of the crisis process: for example, steps for analysing the causes, writing a press release or restart plans for the company. The description of the individual measures also helps less experienced staff to carry out and document the activities one after the other. This automatically provides an overview of who has carried out measures, when and with what results, and which measures still need to be completed.
**Step 4: Documentation and flow of information
In addition to the quick reaction and solution of the problem, a complete documentation of the findings, measures or tips is particularly important - not only for legal reasons, but also to further optimise the scenarios for the future. The traceability and evaluation of the measures for further improvement thus cover the point check. In order to be able to do this necessary chronological documentation already during the work, so-called operational logs are helpful instruments. These should be designed in such a way that it is not possible to change the entries later. Besides the handwritten method, systems that store entries in an audit-proof manner are suitable. Digital solutions often offer the advantage that the entries can be made directly available to all those involved and thus significantly improve the flow of information in the crisis.
5. Step: Re-staffing.
If the crisis continues for a longer period of time, a replacement or extension of those currently involved may become necessary. Addressing the issue early ensures that the replacement arrives in time and that the current level of knowledge can be handed over in an orderly manner. Predefined groups or shifts can help simplify this process.
6. Step: Learning from the incident
Once the crisis situation is under control and the organisation has returned to its normal state, follow-up, analysis and, if necessary, optimisation take place. In the PDCA cycle, the last phase (Act) is used for reflection. If optimisation potentials have been identified, the corresponding scenario is changed or supplemented, for example in the actors or recommendations for action. At this point, all the records made during the crisis help.
Being “ahead of the game” with Business Continuity Management
The term “being ahead of the game” is used above all by the emergency services. What is meant is to always be one step ahead of what is happening through sufficient preparation and practice. Only then are organisations able to act rather than react. This is exactly what can be achieved with the hands-on approach, which, if applied consistently, quickly develops into a meaningful catalogue of measures that can be directly applied in practice.
The web-based platform for alarm and crisis management GroupAlarm provides effective support in getting crisis situations under control quickly and pragmatically. This starts with planning and ends with documentation. This reduces financial consequences in the event of an incident and reduces negative effects on the reputation, because a crisis is usually more cost-intensive than the countermeasures.
Implement Business Continuity Management quickly and pragmatically now!
Image sources: Canva Pro